CVE-2020-26229
Last modified
CVE-2020-26229 is a low-severity vulnerability rated 3.7/10 on the CVSS scale. TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. EPSS estimates a 0.64% chance of exploitation in the next 30 days.
Description
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. Update to TYPO3 version 10.4.10 to fix the problem described.
Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Typo3 | Typo3 | >= 10.0.0, < 10.4.10 |
References
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2Third Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2020-012Vendor Advisory
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2Third Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2020-012Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-26229?
How severe is CVE-2020-26229?
How do I fix CVE-2020-26229?
Are you affected by CVE-2020-26229?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST